2022 IEEE International Conference on Communication, Networks and Satellite (COMNETSAT)

Intrusion Detection using Deep Neural Network

Algorithm on the Internet of Things
Syariful Ikhwan Adi Wibowo Budi Warsito
a
Doctoral Program of Information System Computer Science Informatics Statistics Department of Science and
School of Postgraduate Studies Department of Science and Mathematics Mathematics Faculty
Diponegoro University Faculty Diponegoro University
Semarang, Indonesia Diponegoro University Semarang, Indonesia
2022 IEEE International Conference on Communication, Networks and Satellite (COMNETSAT) | 978-1-6654-6030-9/22/$31.00 ©2022 IEEE | DOI: 10.1109/COMNETSAT56033.2022.9994499

Semarang, Indonesia [email protected]

bD3 Telecommunication Engineering [email protected]
Institut Teknologi Telkom Purwokerto
Banyumas, Indonesia
[email protected]

Abstract— The increasing use of IoT devices on future to improve the IDS's ability to detect known and unknown
networks is very helpful for humans in their lives. However, the attacks [4].
increase in devices connected to IoT networks also increases the
potential for attacks against those networks. Vulnerabilities in In [5] explained that Denial of Service, Data Type
Internet of Things (IoT) networks can be exposed at any time. Probing, Malicious Control, Malicious Operation, Scan,
Artificial intelligence can be used to protect the IoT network by Spying, and Wrong are attacks and anomalies that can cause
being able to detect attacks on the network so that they can be failures in IoT systems. To counter the attacks, tests were
prevented. In this study, network detection was carried out using carried out using the Logistic Regression (LR) algorithm,
the Deep Neural Network (DNN) algorithm. The test was carried
out using the UNSW Bot-IoT dataset with a comparison of
Support Vector Machine (SVM), Decision Tree (DT),
training data of 75% of the overall data. The results obtained Random Forest (RF), and Artificial Neural Network (ANN)
show the ability of the algorithm to detect attacks on average with with the Distributed Smart Space Orchestration System
99.999% accuracy. The validation loss and training loss look very (DS2OS) dataset. The results obtained show that Random
small. In this study, there is a validation loss that still occurs in Forest has a better performance than other algorithms.
overfitting, but the difference is very small. However, in this study, it can be seen that the more data is
Keywords— DNN, IoT, Intrusion Detection, Network, Bot-IoT tested, the ANN's performance is getting closer to RF
Dataset performance.
Detection of traffic anomalies using the proposed Channel
I. INTRODUCTION
Boosted and Residual learning based deep Convolutional
An intrusion Detection System (IDS) is a system that is Neural Network (CBR-CNN) is better than existing machine
used to detect an attack on the network by detecting all packets learning techniques and gives promising results on the
going to the network and then selecting the packet whether it validation set and shows a significant performance
is an attacker group or not [1]. IDS was first introduced in improvement on datasets that have new attacks [6]. Another
1980. Since then, it has developed using various methods to method based on a hybrid neural network is also proposed to
detect attacks. There are several things that later became detect anomalies by analyzing certain features [7]. A one-
important issues in the development of IDS. The issue is the dimensional convolution network is implemented to analyze
ability of IDS to separate between attacks that are real attacks sequence features in a hybrid neural network, while a deep
and attack that are not attacks[2]. Sometimes the IDS neural network is used to study the characteristics of high-
incorrectly identifies the real attack and considers the actual dimensional feature vectors including general statistical
access to be an attack. The ability of IDS to detect a large features and environmental features. It is concluded that the
number of passing packets at one time is also an issue that is proposed method can be applied to anomaly detection
quite important to be resolved. Another issue that the applications with reasonable performance.
researchers focus on is the changing attack patterns that occur
over time. Attacks that have not been previously known, Network infrastructure is more vulnerable to cyber-attacks
termed “unknown attacks”, are then difficult to detect by IDS. because it is connected to the internet. The most widely used
attacks are distributed denial of service (DDoS) attacks that
The application of intrusion detection on Internet of disrupt services. The most important factor in combating
Things (IoT) networks is currently an interesting research DDoS attacks is early detection and segregation of network
topic. This is based on predictions that, in the future, the use traffic. Research [8] proposes using a deep neural network as
of IoT technology will continue to grow rapidly. IoT devices a deep learning model that detects DDoS attacks on packet
send various data packets to the internet network in continuous samples captured from network traffic. The results of the
and massive amounts. Therefore, it is not possible to detect experiment conducted on the CICDDoS2019 dataset
intrusion using traditional methods. Detection of attacks on containing the types of DDoS attacks created in 2019 were
IoT can be grouped in two ways, namely by using statistics observed. It was observed that attacks on network traffic were
and using a machine learning approach. The development of detected with 99.99% success, and the attack types were
machine capabilities in the field of artificial intelligence is classified with an accuracy rate of 94.57%. The high accuracy
then proposed to be a better way to solve problem of detecting values obtained indicate that deep learning models can be used
attacks [3]. Various machine learning methods are then used effectively in combating DDoS attacks.

978-1-6654-6030-9/22/$31.00 ©2022 IEEE 84

Authorized licensed use limited to: FLORIDA INTERNATIONAL UNIVERSITY. Downloaded on August 18,2023 at 18:31:46 UTC from IEEE Xplore. Restrictions apply.
 2022 IEEE International Conference on Communication, Networks and Satellite (COMNETSAT)

The research in this paper examines the ability of Deep non-numeric values are removed, one feature that is used as a
Neural Network (DNN) to recognize attacks contained in a marker feature is excluded from deletion. The selection of the
number of datasets. The tested dataset consists of a set of features used will greatly affect the results obtained later [11].
separated data. Then testing is also carried out on the data that In this study, the feature column used as a marker is the
has been collected in large quantities. The contribution of this category column. A summary of all the features used in this
paper is first to determine the ability of DNN to recognize study can be seen in Table 1.
attacks or not on small datasets. The implementation is done
by analyzing the dataset, which is divided into several files. DNN is a subtype of MLP (Multilayer Perceptron), a sort
of Feed Forward Neural Network (FFN) with more than two
Second, knowing the capabilities of DNN when the data
provided is in large quantities. The dataset used is a collection layers, which has one input layer, one output layer, and more
than one hidden layer. Each layer contains a number of
of the previous dataset. Third, compare DNN capabilities
when the data is small and when the data is large. neurons, all of which are fully linked to one another in the
forward direction. Deep Neural Network uses a feature vector
II. METHODOLOGY as its input. This vector size always has a fixed length.
Resizing the feature vector means recreating the entire neural
The purpose of this study is to apply a deep neural network network. Although feature vectors are called "vectors", this is
algorithm to IoT network traffic. The dataset used is the Bot- not always the case [12]. In this study, 1-dimensional vector
IoT dataset created by University of New South Wales input was used.
(UNSW) Center for Cyber Security (ACCS) Canberra,
Australia (in the Cyber Range Labs)[9] [10]. This dataset was The IoT is subject to various types of attacks due to
created using smart home devices. The smart home devices vulnerabilities present in devices. Due to the many features of
include weather monitoring systems, smart cooling devices, IoT network traffic, machine learning models take time to
smart lights, smart door opening and closing systems, and detect attacks [13]. Feature selection or reduction is an
others. The traffic on the network was a mix of regular and important process for an intrusion detection system (IDS) in
botnet traffic. The source files for the dataset are offered in a finding optimal features. Irrelevant features present in the data
variety of forms, such as the original pcap files, the produced set increase the load on computing resources and affect system
argus files, and csv files. To help with labeling, the files were performance [14]. Table 1 displays the features and feature
divided based on attack category and subcategory. More than names. All features found in the dataset are set as headers.
72.000.000 records can be found in the 69.3 GB-sized Then after all the headers are given, the values other than
collected pcap files. The extracted flow traffic is 16.7 GB in numeric are omitted so that it can be seen in the second row in
size and is in csv format. The DDoS and DoS attacks are Table 1, there are 21 features used in the analysis process. An
further categorized according to the protocol employed in the explanation of the names of the features shown in Table 1, can
dataset, which also includes OS and Service Scan, be seen in the study [15].
Keylogging, and Data Exfiltration assaults.
TABLE I. BOT-IOT DATASET FEATURES
In this study, the dataset used is a dataset that has been in
the form of a CSV file extracted from the raw data and then Features Features Name
shared publicly. The file used is only a small part of the entire All Features pkSeqID, Stime, flgs, proto, saddr, sport, daddr,
CSV file. Files are then divided into two groups namely small dport, pkts, bytes, state, ltime, seq, dur, mean,
and large. The dataset used for the small category has a total stddev, smac, dmac, sum, min, max, soui, doui,
sco, dco, spkts, dpkts, sbytes, dbytes, rate, srat
frame of 1,000,000 lines, consisting of attack and normal e, drate, attack, category, subcategory
frame. There are 10 parts of the dataset, each of which has a
different number of attacks. The comparison between training Features used pkSeqID, stime, pkts, bytes, ltime, seq, dur,
data and validation data is 75% and 25%. Data comparison mean, stddev, sum, min, max, spkts, dpkts,
split is done automatically using the train_test_split library in sbytes, dbytes, rate, srate, drate, attack, category
Python.
On a large number of datasets, the test is performed by The next phase is the preprocessing phase. At this phase,
combining the datasets 1 to 5 and the combined datasets 6 to we encode the feature vector into two functions. The first is to
10. So, we get two files, each containing 5 million lines of encode it into the z-score function, and the second is to create
frame. All data were analyzed using Python on the a dummy variable from the category column. After the
infrastructure provided by Google, namely Google Colabs. preprocessing phase is complete, the next step is to train the
Frame attacks on small and large groups consisting of DoS, neural network to classify data in the category column. In this
Theft, and Reconnaissance attacks. test, two hidden layers were carried out. The results obtained
are then used to display the values of training loss, validation
The flow of testing the dataset in this study was carried out loss, and the accuracy value of the model.
in several phases. First, the dataset was inputted and read in
the form of a csv file extension. The imported dataset does not Accuracy refers to the amount of data is predicted to be
yet have a header; therefore, the data is then given a header correct for the entire test dataset. If the accuracy value
according to the column description used. The headers increases, then the registered model becomes right. Accuracy
represent the features that will be used in data analysis. Each is calculated as
column is a feature that is different from the other columns. 𝑇𝑃+𝑇𝑁
The next step is to delete the columns that have NaN values 𝐴𝑐𝑐𝑢𝑟𝑎𝑐𝑦 = 𝑇𝑃+𝑇𝑁+𝐹𝑃+𝐹𝑁
(1)
(no value) and columns that have values other than numeric.
Values other than numeric are removed because the machine
can only calculate numeric values. This is done so that the where, true positive (TP) is when the model classifies the
trend value of the analyzed data can be calculated. Even if all attack as an attack. True negative (TN) is when the model

85
Authorized licensed use limited to: FLORIDA INTERNATIONAL UNIVERSITY. Downloaded on August 18,2023 at 18:31:46 UTC from IEEE Xplore. Restrictions apply.
 2022 IEEE International Conference on Communication, Networks and Satellite (COMNETSAT)

classifies normal traffic as normal. False positive (FP) is when Dataset 1 Dataset 2
the model classifies normal traffic as an attack while False
negative (FN) is when the model classifies an attack as normal
traffic.
The loss function is the best parameter, and using it is
crucial for getting better results. The difference between the
goal and predicted values can be calculated using the loss
function. It attempts to learn a function's approximate identity
by minimizing reconstruction error during the learning phase.
(a) (b)
The loss function aids in determining the degree to which the
predicted value deviates from the desired value. To determine Dataset 3 Dataset 4

the loss function and categorize the assault, the target and
features were fed into the model.
III. RESULTS AND DISCUSSION
The tests we have carried out present results that describe
the ability of the DNN algorithm to study the data provided
and then validate the model that has been obtained from the
(c) (d)
training. The dataset used in the training is a public dataset that Dataset 6
Dataset 5
is generally available. Thus it can be seen how the DNN
algorithm can recognize intrusions. The tests carried out got
the results as shown in Table 2. Each dataset tested got the best
value in a fairly good range. The accuracy obtained is in the
range of 99.99888% to 100%. These values are obtained after
5 epochs of repetition. In the tests made, limited to 5 epochs,
it is hoped that later the system will provide the same
treatment for each dataset.
(e) (f)
TABLE II. TEST RESULTS
Dataset 7 Dataset 8

Total Frame Norm Accuracy

Test Attack Category
(rows) al (%)

Dataset 1 1,000,000 1993 998,007 DoS 100

169,840 DoS
Reconnaiss
Dataset 2 1,000,000 4941 99.9988
823,632 ance

1,587 Theft (g) (h)

Dataset 9 Dataset 10
Dataset 3 1,000,000 107 999,893 DoS 100

Dataset 4 1,000,000 98 999,902 DoS 99.9996

Dataset 5 1,000,000 76 999,924 DoS 99.9996

Dataset 6 1,000,000 33 999,967 DoS 100

Dataset 7 1,000,000 41 999,959 DoS 100 (i) (j)

Dataset 8 1,000,000 27 999,973 DoS 100 Fig. 1. Graph of the results of testing the DNN algorithm on datasets.

Dataset 9 1,000,000 38 999,962 DoS 100 TABLE III. TEST RESULTS LARGER GROUP

Dataset 10 1,000,000 30 999,970 DoS 100 Total

Norm Accuracy
Test Frame Attack Category
al (%)
(rows)
Figure 1 shows a graph of the training loss and accuracy
loss that occurred. In this graph, it is known that the trend of 3169559 DoS
Dataset Reconnais
loss of accuracy and loss of training is good. Loss training can 1-5
5,000,000 7215
1821639 sance
99.9997
follow loss validation in 8 datasets, while in datasets 4 and 5
(Fig.1(d) and Fig.1(e)), loss validation and loss training do not 1587 Theft
find any similarities. The loss of training that occurs in the test, Dataset
5,000,000 169 4999831 DoS 99.9999
6-10
as shown in Fig. 1, begins to decrease significantly during the
first epoch. Then, the training loss value tends to remain the The test results in the second scenario, namely in the larger
same until the end of the training. data group, can be seen in Table 3 that the accuracy value is
not much different when carried out in the first scenario. The
accuracy value is 99.999%. The value obtained is almost the

86
Authorized licensed use limited to: FLORIDA INTERNATIONAL UNIVERSITY. Downloaded on August 18,2023 at 18:31:46 UTC from IEEE Xplore. Restrictions apply.
 2022 IEEE International Conference on Communication, Networks and Satellite (COMNETSAT)

same as the test in the first scenario. As explained earlier that balance of the data so that the model obtained becomes more
the first test uses 1 million rows of data while the second tested. Various dataset balancing methods can be used at the
scenario uses 5 million rows of data. When compared, we get preprocessing phase.
a graph that is almost similar between the first and second
scenarios. This means that the model has been as expected. REFERENCES
From Table 2 can also be seen that the addition of the number [1] Z. Zhang, Q. Liu, S. Qiu, S. Zhou, and C. Zhang, “Unknown
of rows used in the model does not affect the results obtained. Attack Detection Based on Zero-Shot Learning,” IEEE Access,
Figure 2 shows the graph obtained in the large group test. vol. 8, pp. 193981–193991, 2020, doi:
10.1109/ACCESS.2020.3033494.
Figure 2(a) shows that there is overfitting but not too big. It [2] L. N. Tidjon, M. Frappier, and A. Mammar, “Intrusion Detection
should be because datasets 4 and 5 resulting bad results such Systems : A Cross-Domain Overview,” IEEE Communications
as shown in Fig. 1. It can be seen that the trend of validation Surveys & Tutorials, vol. 21, no. 4, pp. 3639–3681, 2019.
loss and train loss has followed each other. This means that [3] A. S. Alzahrani, R. A. Shah, Y. Qian, and M. Ali, “A novel method
the model made works well and meets expectations. for feature learning and network intrusion classification,”
Alexandria Engineering Journal, vol. 59, no. 3, pp. 1159–1169,
Dataset 1-5 Dataset 6-10 2020, doi: 10.1016/j.aej.2020.01.021.
[4] H. Liu and B. Lang, “Machine learning and deep learning methods
for intrusion detection systems: A survey,” Applied Sciences
(Switzerland), vol. 9, no. 20, 2019, doi: 10.3390/app9204396.
[5] M. Hasan, M. M. Islam, M. I. I. Zarif, and M. M. A. Hashem,
“Attack and anomaly detection in IoT sensors in IoT sites using
machine learning approaches,” Internet of Things (Netherlands),
vol. 7, p. 100059, 2019, doi: 10.1016/j.iot.2019.100059.
[6] N. Chouhan, A. Khan, and H. ur R. Khan, “Network anomaly
detection using channel boosted and residual learning based deep
(a) (b) convolutional neural network,” Applied Soft Computing Journal,
vol. 83, p. 105612, 2019, doi: 10.1016/j.asoc.2019.105612.
Fig. 2. Graph of the results of testing the DNN algorithm on a larger [7] C. Ma, X. Du, and L. Cao, “Analysis of multi-Types of flow
amount of data. features based on hybrid neural network for improving network
anomaly detection,” IEEE Access, vol. 7, pp. 148363–148380,
As shown in Table 2 can be said that DNN is able used and 2019, doi: 10.1109/ACCESS.2019.2946708.
developed to detect intrusions on IoT networks. Further [8] A. E. Cil, K. Yildiz, and A. Buldu, “Detection of DDoS attacks
development will also be usefully made in prevention efforts with feed forward based deep neural network model,” Expert Syst
Appl, vol. 169, no. December 2020, p. 114520, 2021, doi:
against such intrusions. That can be addressed by adding a 10.1016/j.eswa.2020.114520.
firewall and the like on the networks. If the network is entered [9] UNSW, “Bot-IoT Dataset,” 2018.
by a suspicious intrusion as recognized by the intrusion https://cloudstor.aarnet.edu.au/plus/s/umT99TnxvbpkkoE?path=
detector, the firewall acts to block the incoming intrusion. %2FCSV%2FEntire Dataset (accessed Dec. 22, 2021).
Our work is similar to that carried out in [16], but in the [10] N. Koroniotis, N. Moustafa, E. Sitnikova, and B. Turnbull,
“Towards the development of realistic botnet dataset in the Internet
study they are carried out unsupervised feature learning using of Things for network forensic analytics: Bot-IoT dataset,” Future
the nonsymmetric deep autoencoder (NDAE) method on the Generation Computer Systems, vol. 100, pp. 779–796, 2019, doi:
NSL-KDD dataset. The classifier used is stacked NDAEs. 10.1016/j.future.2019.05.041.
While in our research, we use supervised learning features and [11] C. Kalimuthan and J. Arokia Renjit, “Review on intrusion
the UNSW Bot-IoT dataset. Research [17] uses a vector detection using feature selection with machine learning
convolutional deep learning (VCDL) approach to analyze techniques,” Mater Today Proc, vol. 33, pp. 3794–3802, 2020, doi:
10.1016/j.matpr.2020.06.218.
anomalies in IoT traffic using all Bot-IoT dataset traffic [12] J. Heaton, Applications of Deep Neural Networks, 1st ed. Heaton
records. The results obtained show an accuracy of 99.74%. Research, Inc., 2020.
The results obtained are better than other comparison [13] P. Nimbalkar and D. Kshirsagar, “Feature selection for intrusion
methods. detection system in Internet-of-Things ( IoT ),” ICT Express, vol.
7, no. 2, pp. 177–181, 2021, doi: 10.1016/j.icte.2021.04.012.
IV. CONCLUSION [14] D. Kshirsagar and S. Kumar, “An efficient feature reduction
method for the detection of DoS attack,” ICT Express, vol. 7, no.
Intrusion detection in this study was implement using the 3, pp. 371–375, 2021, doi: 10.1016/j.icte.2020.12.006.
DNN algorithm on the UNSW BoT-IoT dataset. The results [15] N. Koroniotis, N. Moustafa, E. Sitnikova, and B. Turnbull,
obtained after the testing was very good. Thus, it can be said “Towards the development of realistic botnet dataset in the Internet
of Things for network forensic analytics: Bot-IoT dataset,” Future
that DNN can be applied to distinguish between attacks and Generation Computer Systems, vol. 100, pp. 779–796, 2019, doi:
non-attacks on IoT networks. In the tests carried out, the 10.1016/j.future.2019.05.041.
feature elimination process at the preprocessing stage will [16] N. Shone, T. N. Ngoc, V. D. Phai, and Q. Shi, “A Deep Learning
determine the results obtained. Elimination of features in this Approach to Network Intrusion Detection,” IEEE Trans Emerg
study is still manually. In the future, it is hoped that automatic Top Comput Intell, vol. 2, no. 1, pp. 41–50, Feb. 2018, doi:
feature selection will be carried out by the system. Features 10.1109/TETCI.2017.2772792.
[17] B. A. Bhuvaneswari and S. S., “Anomaly detection framework for
other than numeric can also actually be considered to be Internet of things traffic using vector convolutional deep learning
included in the calculation. This is done by converting it to approach in fog environment,” Future Generation Computer
numeric using the data encoding process. Further research in Systems, vol. 113, pp. 255–265, 2020, doi:
the application of this DNN, how to make the attack dataset 10.1016/j.future.2020.07.020.
and normal balanced. Subsequent research must consider the

87
Authorized licensed use limited to: FLORIDA INTERNATIONAL UNIVERSITY. Downloaded on August 18,2023 at 18:31:46 UTC from IEEE Xplore. Restrictions apply.